Mounting a filesystem located on a partition of an image of a disk

Need

Mounting a filesystem located on a partition of an image of a disk

Context

The following describes the circumstances under which this solution makes sense:

  1. The image is understood to be an image of the entire disk, including its partition table. For example, an image of the device /dev/sda contains whatever partitions sda has, such as sda1, sda2, etc.
  2. The image must be flat (raw), that is, extracted with a tool such as dd, and not produced by tools such as EnCase that generate images in a proprietary format whose headers carry information about the target.
  3. Note: this solution has been tested on GNU/Linux Debian Lenny with images of disks partitioned with NTFS.

Solution

A virtual block device must be created in order to read the disk, and then further virtual block devices, one per partition, at the offsets given by the partition table. The tool used for this is losetup, which on GNU/Linux Debian Lenny is in the package mount. It creates loop devices. According to [2], a loop device, also known as a vnd (vnode disk) or lofi (loopback file interface), is a pseudo-device that makes a file accessible as if it were a block device.

1. As stated in the context above, it is assumed that images of the disks already exist and that these are images of the complete disk, not of a single partition.

* For more information on how to create these images, see the [solution regarding this need]

2. Take as an example the following image of a disk from an application server running Windows, with two partitions: the first, identified as C:, contains the operating system, and the second, D:, contains user data.

-r-------- 1 root root 68G 2008-09-16 15:46 appserver1_disk2.dd

3. Assign the image to a block device that is not currently in use, using losetup with the -f switch (find the first free loop device) and the image file as argument. For more information on this command see [1]. For forensic work, also pass -r so that the loop device itself is read-only, independently of how it is mounted later.

# losetup -f appserver1_disk2.dd

4. To find out which device was assigned, run losetup with the -a option:

# losetup -a
/dev/loop0: [0811]:12 (/media/disk/appserver1_disk2.dd)

* Note that the device assigned was /dev/loop0

5. The partition table of this device can be viewed with fdisk, using the -l option and passing the virtual device /dev/loop0 as parameter. The -u option is added so that partition boundaries are given in sectors rather than cylinders; this will be useful in the subsequent steps.

# fdisk -lu /dev/loop0

Disk /dev/loop0: 72.8 GB, 72833695744 bytes
255 heads, 32 sectors/track, 17433 cylinders, total 142253312 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x0b3a0b3a

Device Boot Start End Blocks Id System
/dev/loop0p1 * 32 30722399 15361184 7 HPFS/NTFS
/dev/loop0p2 30722400 142245119 55761360 7 HPFS/NTFS

* Two partitions are observed: /dev/loop0p1, which starts at sector 32, and /dev/loop0p2, which starts at sector 30722400

* The sectors are 512 bytes

6. So far there is a block device /dev/loop0 with two partitions, /dev/loop0p1 and /dev/loop0p2; however, these partition devices do not exist as such in the filesystem, that is simply how fdisk names the partitions it identifies. To access the data the partitions must be mounted, and for this losetup is used again with the -o parameter, which takes the offset in bytes at which the partition to be represented by the new loop device begins. (Newer util-linux versions can create the partition devices directly with losetup -P, but the offset method below also works on older versions and is what was tested here.)

7. Compute the offset (in bytes) of /dev/loop0p1 and /dev/loop0p2, which according to fdisk -lu start at sector 32 and sector 30722400 respectively, with 512-byte sectors. Always take the sector size from the fdisk output rather than assuming 512, since disks with 4096-byte sectors exist.

$ echo $(( 512*32 ))
16384
$ echo $(( 512*30722400 ))
15729868800

* Partition /dev/loop0p1 starts at byte 16384

* Partition /dev/loop0p2 starts at byte 15729868800

8. Create a block device for each partition with losetup, in the same way as was done for the disk image, but this time specifying the offset and giving as source the initial device /dev/loop0, which is the disk containing the partitions to be mounted:

# losetup -fo 16384 /dev/loop0
# losetup -fo 15729868800 /dev/loop0

9. Check the device assignment with losetup -a:

# losetup -a
/dev/loop0: [0811]:12 (/media/disk/appserver1_disk2.dd)
/dev/loop1: [000d]:2285 (/dev/loop0), offset 16384
/dev/loop2: [000d]:2285 (/dev/loop0), offset 15729868800

* Note that the first partition, at offset 16384, previously referred to as loop0p1, can now be reached through the device /dev/loop1; likewise /dev/loop2 represents the second partition, at offset 15729868800 bytes into /dev/loop0

10. There are now three block devices: /dev/loop0, /dev/loop1 and /dev/loop2. /dev/loop0 represents the whole disk, including the partition table, and from here on is of little use; it was a transitional step to obtain /dev/loop1 and /dev/loop2, which represent the NTFS partitions and can be mounted as follows:

# mkdir -p /mnt/appserver1/disk1p1 /mnt/appserver1/disk1p2
# mount /dev/loop1 /mnt/appserver1/disk1p1
# mount /dev/loop2 /mnt/appserver1/disk1p2

* If the images are being mounted for forensic analysis, it is recommended to mount with the -r option of mount (equivalently -o ro), so that the filesystems are mounted read-only and nothing on the image is modified.

11. Finally, the contents of these partitions can be browsed at their mount points like any other filesystem:

# ls /mnt/appserver1/disk1p1
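The whole procedure from steps 3 to 10, as an added example that is not part of the original page: a POSIX shell script that parses fdisk -lu output to compute each partition's byte offset and length, then attaches every partition as its own read-only loop device and mounts it read-only. The fdisk output shown above is embedded as a constructed sample for the offset arithmetic. The script assumes a util-linux losetup that supports -r, --show and --sizelimit (newer than the one on Debian Lenny); --sizelimit bounds each partition device to its own extent so that a filesystem driver cannot read past the end of the partition into the next one.

```sh
#!/bin/sh
# Added example (not from the original page): derive partition byte offsets from
# `fdisk -lu` output and attach each partition as a read-only loop device.
# Assumes a util-linux losetup that understands -r, --show and --sizelimit.

# Constructed sample of `fdisk -lu` output, copied from the values shown above.
SAMPLE_FDISK='Disk /dev/loop0: 72.8 GB, 72833695744 bytes
255 heads, 32 sectors/track, 17433 cylinders, total 142253312 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x0b3a0b3a

   Device Boot      Start         End      Blocks   Id  System
/dev/loop0p1   *          32    30722399    15361184    7  HPFS/NTFS
/dev/loop0p2        30722400   142245119    55761360    7  HPFS/NTFS'

# part_layout: read `fdisk -lu` text on stdin and print one line per partition:
#   <device> <offset_bytes> <size_bytes>
# The sector size is taken from the "Units" line (default 512), so the
# arithmetic also holds for 4096-byte-sector images. The boot flag column ("*")
# is optional, which is why Start/End are located relative to it. Partition
# rows are the lines that follow the "Device ... Start ... End" header.
part_layout() {
    awk '
        BEGIN { sector = 512 }
        /^Units.*sectors of/ { sector = $(NF-1) + 0 }
        /Device.*Start.*End/ { in_table = 1; next }
        in_table && NF >= 5 {
            if ($2 == "*") { start = $3; end = $4 } else { start = $2; end = $3 }
            printf "%s %.0f %.0f\n", $1, start * sector, (end - start + 1) * sector
        }'
}

# part_offset N: byte offset of the N-th partition (1-based) in the sample.
part_offset() {
    printf '%s\n' "$SAMPLE_FDISK" | part_layout | awk -v n="$1" 'NR == n { print $2 }'
}

# part_size N: byte length of the N-th partition (1-based) in the sample.
part_size() {
    printf '%s\n' "$SAMPLE_FDISK" | part_layout | awk -v n="$1" 'NR == n { print $3 }'
}

# part_count: number of partitions found in the sample.
part_count() {
    printf '%s\n' "$SAMPLE_FDISK" | part_layout | awk 'END { print NR }'
}

# mount_image IMAGE MNTBASE: attach the whole image read-only to read its
# partition table, then attach each partition as a loop device bounded by its
# offset and size and mount it read-only under MNTBASE/pN. Requires root.
mount_image() {
    image=$1; base=$2
    disk=$(losetup -r -f --show "$image")
    n=0
    fdisk -lu "$disk" | part_layout | while read -r dev off size; do
        n=$((n + 1))
        # The offsets are relative to the start of the image file, so the
        # partition device can be attached to the file itself instead of $disk.
        part=$(losetup -r -f --show -o "$off" --sizelimit "$size" "$image")
        mkdir -p "$base/p$n"
        mount -o ro "$part" "$base/p$n" && echo "$dev -> $part mounted at $base/p$n"
    done
    # The whole-disk device was only needed for fdisk; release it.
    losetup -d "$disk"
}

# Only act when invoked as: sh mount_image.sh /path/to/image.dd /mnt/appserver1
if [ $# -ge 2 ]; then
    mount_image "$1" "$2"
fi
```

Run it as root with the image path and a mount base; to undo, umount each mount point and run losetup -d on each loop device reported by losetup -a.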
